Archive

jppiiroinen writes “It seems that Nokia is slowly killing existing applications for their Linux based N9 mobile phone which are available through their store. As a developer who has published paid (and free) apps, it looks like, after their final blow of killing the support for paid applications in China, where the main revenue came from, there is no means to make money, and no reason to maintain apps anymore. What this means also for the end-users: no premium apps, like Angry Birds. There was no heads-up or anything, just a single email without any means to make a complaint. Nokia, So Long, and Thanks for All the Fish.” Also being discussed at Maemo.org.

MojoKid writes “Despite the fact that I’ve been using Windows 8 for the past three weeks, I somehow managed to overlook a rather stark feature in the OS: ads. No, we’re not talking about ads cluttering up the desktop or login screen (thankfully), but rather ads that can be found inside of some Modern UI apps that Windows ships with. That includes Finance, Weather, Travel, News and so forth. On previous mobile platforms, such as iOS and Android, seeing ads inside of free apps hasn’t been uncommon. It’s a way for the developer to get paid while allowing the user to have the app for free. However, while people can expect ads in a free app, no one expects ads in a piece of software that they just paid good money for.”

CowboyRobot writes “A pair of reports by Juniper and Bit9 confirm the suspicion that many apps are spying on users. ’26 percent of Android apps in Google Play can access personal data, such as contacts and email, and 42 percent, GPS location data… 31 percent of the apps access phone calls or phone numbers, and 9 percent employ permissions that could cost the user money, such as incurring premium SMS text message charges… nearly 7 percent of free apps can access address books, 2.6 percent can send text messages without the user knowing, 6.4 percent can make calls, and 5.5 percent have access to the device’s camera.’ The main issue seems to be with poor development practices. Only in a minority of cases is there malicious intent. The Juniper report and the Bit9 report are both available online.”

Trailrunner7 writes “There are thousands of apps in the Google Play mobile market that contain serious mistakes in the way that SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations. The researchers conducted a detailed study of 13,500 of the more popular free apps on Google Play, the official Android app store, looking at the SSL/TLS implementations in them and trying to determine how complete and effective those implementations are. What they found is that more than 1,000 of the apps have serious problems with their SSL implementations that make them vulnerable to MITM attacks, a common technique used by attackers to intercept wireless data traffic. In its research, the team was able to intercept sensitive user data from these apps, including credit card numbers, bank account information, PayPal credentials and social network credentials.”

Malware permeated the mobile ecosystem in 2011, and the issue is not going away. Smartphones hold an unprecedented amount of personal data that malicious hackers are eager to obtain. Every day they come up with more sophisticated attacks and new schemes for infiltrating the data trove in your pocket.

Juniper’s Mobile Threats Report for 2011 shows that malware increased in 2011 by 155%. Most of that increase was found in Android samples, though the entire mobile ecosystem is vulnerable to security breaches. 46.7% of all threats that Juniper analyzed in 2011 targeted Android, ahead of 41% for Java ME. While Juniper does not have stats for Apple’s iOS, it does say that there are dangers that could harm your iPhone as well.

From 2010 to 2011, Juniper saw instances of mobile malware in its network rise from 11,138 samples to 28,472. Juniper’s Mobile Threat Center (MTC) examined 793,631 applications across every major mobile operating system. The sources of these applications included the official mobile OS app stores, third-party app stores, known repositories of malicious apps, malware submissions from customers and partners, and “zero day” apps identified by Juniper’s Junos Pulse system.

Spyware was the most common form of mobile malware at 63.39%. Spyware makes sense on mobile devices because hackers are looking for access to contacts, passwords and site activity. Like any spy, malicious hackers want to know as much about you as they can. That information, such as GPS records, text messages and browser history, becomes powerful for malicious hackers looking to exploit the device for monetary gain. In the same vein, the “SMS Trojan” was the next biggest threat at 36.43%. SMS Trojans run in the background of an application and send text messages to premium services owned by the attacker. Many SMS Trojans come from “fake installer” programs, pirated paid-for versions of free apps (like Opera Mini) that then take over a device’s communication channels.

Android was so popular for malware because the openness of the Android Market makes it easy for hackers to slip malicious applications in. Google’s “bouncer” has been mostly successful in protecting users, but even a malware scanner across the entire Android Market cannot identify zero day attacks. A zero day is a vulnerability that was previously undiscovered and hence difficult to track until someone exploits it. In the last seven months of 2011, Juniper saw 13,302 samples of Android malware, more than the entire mobile malware ecosystem in 2010 combined.

Juniper admits that iOS is safer from malware than any other platform based on how Apple institutes its rules to publish on its App Store. Juniper notes that those that jailbreak their iPhones are more susceptible to malware and that there are several spoof sites that can jailbreak an iPhone but also leave malware in its kernel.

“There are virtually no meaningful endpoint security products for the iOS platform because Apple does not provide developers with tools to create them,” the report states. “This lack of software protection and a competitive security market leaves users with little protection if malware were ever to make it through Apple’s application vetting process. In the long run, this could create a false sense of security for Apple users and prove to be an even bigger risk than Android’s open model.”

It must be pointed out that while iOS is safer and indeed lacks endpoint security, it is in the best interest of Juniper (and every other company that provides mobile malware protection) to put pressure on Apple to give the tools to create iOS security apps. There is big money in security and if there is ever a hint of malware on iOS devices, the security companies stand to profit from that.

Other forms of malware that can affect mobile devices include direct attacks, such as SMS spam or attacking applications with malicious content or packets. Applications, by definition, are software and, as with any software, are open to being attacked by external forces. There is also vulnerability through the browser. Juniper points out that the WebKit engine used by Android, BlackBerry, iOS and webOS has vulnerabilities that can be exploited by visiting an infected site.

Connectivity attacks are also vulnerabilities in the system. Connectivity vulnerabilities come from Wi-Fi sniffing on an unsecured network or “man-in-the-middle” attacks where malicious hackers insert themselves in between the device and its point of connection to the outside world.

Juniper expects to see more malware come to the mobile ecosystem in 2012. There is just too much rich data ripe for the plucking for malicious hackers to stop their efforts. Targeting applications and payments processors will grow as hackers create ingenious ways to attack user data for financial gain.

Sparrowvsrevolution writes “In the wake of news that the iPhone app Path uploads users’ entire contact lists without permission, Forbes dug up a study from a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users’ private data. Not only did the researchers find that one in five of the free apps in Apple’s app store upload private data back to the apps’ creators that could potentially identify users and allow profiles to be built of their activities; they also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on ‘jailbroken’ iPhones, tend to leak private data far less frequently than Apple’s approved apps. The researchers ran their analysis on 1,407 free apps (PDF) on the two platforms. Of those tested apps, 21 percent of official App Store apps uploaded the user’s Unique Device Identifier, for instance, compared with only four percent of unauthorized apps.”

After an enterprising hacker discovered a privacy problem in beloved new social app Path yesterday, its creators have issued an update and an apology. “We commit to you that we will continue to be transparent and always serve you our users, first,” CEO Dave Morin writes.

Path was uploading iPhone users’ address books to its servers without asking. Today’s update, version 2.0.6, now prompts users to opt-in to the “Add Friends” feature, which is not mandatory. Path has deleted all the existing contact info from its servers.

This apology is full of refreshing self-consciousness. “As we continue to expand and grow we will make some mistakes along the way,” Morin reminds us. Everybody makes mistakes. And as we wrote yesterday, this was mostly just a procedural mistake. Path added the feature without asking its users first. If it had only alerted its users before uploading their contacts, most would probably have said “yes.”

There are some additional security measures Path could use with this contact information, as Matt Gemmell suggested in yesterday’s thread with Morin. The app could hash the information locally and then upload it. Path hasn’t taken that step yet, but it assures users that the connection is encrypted, and the data are stored behind a firewall. And now that it’s all opt-in, users are in control again.
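The hash-before-upload step suggested above, as an added example that is not Path’s code or Matt Gemmell’s proposal in detail: contacts are normalized and turned into keyed hash tokens on the device, so names never leave the phone and the server matches tokens rather than raw identifiers. The sample address book and the app-wide key are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample address book; none of these are real people.
SAMPLE_CONTACTS = [
    {"name": "Alice Example", "email": "Alice@Example.com ", "phone": "(415) 555-0101"},
    {"name": "Bob Example", "email": "bob@example.org", "phone": "+1 415-555-0102"},
    {"name": "No Email", "email": "", "phone": "415-555-0103"},
]

# Hypothetical app-wide key shipped in every client so that all users derive the
# same token for the same identifier and the server can match friends.
APP_KEY = b"example-app-key-not-real"


def normalize_email(email):
    """Trim and lowercase so the same address always yields one token."""
    return email.strip().lower()


def normalize_phone(phone, default_country="1"):
    """Reduce to E.164-style digits. A 10-digit number without '+' is assumed
    to belong to default_country (an assumption made for this example)."""
    digits = re.sub(r"\D", "", phone)
    if not phone.strip().startswith("+") and len(digits) == 10:
        digits = default_country + digits
    return digits


def token(value):
    """Keyed hash (HMAC-SHA256) of a normalized identifier. Without APP_KEY no
    one can build a lookup table, but the operator, who holds the key, can still
    enumerate the small phone-number space; this limits exposure from a leaked
    database, not from the operator itself."""
    return hmac.new(APP_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_upload(contacts):
    """Turn an address book into a sorted list of tokens. Names never leave the
    device, and empty fields are skipped rather than hashed as ''."""
    tokens = set()
    for c in contacts:
        if c.get("email"):
            tokens.add(token(normalize_email(c["email"])))
        if c.get("phone"):
            tokens.add(token(normalize_phone(c["phone"])))
    return sorted(tokens)


def find_friends(uploaded_tokens, registered):
    """Server side: registered maps token -> user id of existing members."""
    return sorted(registered[t] for t in uploaded_tokens if t in registered)
```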

So Path recovered as gracefully as possible. Do you accept its apology? Or did yesterday’s revelation do too much damage for you to trust the company again? It’s important to remember that you pay for free apps with your data. They’re going to do what they can to collect it, because that’s how they make money.

They should always ask the user for permission first. Apple requires app developers to ask the user for permission before gathering location data, and perhaps it should do the same for contacts. But the bottom line is that responsibility for user data starts with the user.

How much do you care about privacy when it comes to data like this? Is the price of free apps worth it? Share your responses in the comments.

Path is a lovely app. It pushes all the right buttons. It’s mobile, it’s tactile, it’s personal, it’s full of people we love and moments that matter to us. It makes us feel good. It’s got all the greatest hits a post-Facebook social app should have. It’s also free.

“Facebook will always be free,” it tells us, so free is now the standard. Free apps are expensive, though; we pay with our data. Whenever Facebook or Google messes with our privacy, this is the cost of doing business for free. Path is no different. It’s already using our personal data in ways we didn’t expect. Arun Thampi discovered today that it uploads the entire iPhone address book to its servers. Surprised? Don’t be.

Thampi was using a cool new tool to observe Path’s API calls, just out of curiosity. The first thing that surprised him was a POST request to https://api.path.com/3/contacts/add. When he looked into it, he found that the entire address book – names, email addresses, phone numbers, everything – was being sent to Path’s servers. He created a new Path account and reproduced the results.

It’s a secure exchange of information between Path’s servers and your phone, and it’s not necessarily doing anything flat-out wrong with the information. But Path never asked its users if it can do this. It may be using our contacts for the benefit of our user experience, for finding friends on Path, for example. But we need an explanation.

Why didn’t we know about this until an enterprising hacker stumbled over it by accident? Is this a sign of how Path will treat user data in the future? What do Path’s adoring users do now? Well, they should get used to it. This is the price of free.

We’ve reached out to Path for comment, and we’ll update once we hear back.